<!DOCTYPE HTML>
<html lang="en">
    <head>
    <meta charset="UTF-8"/>


    <title>Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors</title>
    
    

<script type="application/ld+json">
    {
        "@context": "https://schema.org",
        "@type": "NewsArticle",
        "mainEntityOfPage": {
            "@type": "WebPage",
            "@id": "https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors"
        },
        "headline": "Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors",
        "image": [
            "/content/dam/blogs-blackberry-com/images/blogs/2020/06/ibb-350x350-tycoon-ransomware-060420.png",
            "/content/dam/blogs-blackberry-com/images/blogs/2020/06/ibb-875x530-tycoon-ransomware-060420.png"
        ],
        "datePublished": "2020-06-04T01:10:00.000-07:00",
        "author": [{
                    "@type": "Person",
                    "name": "The BlackBerry Research & Intelligence Team"
                }
,{
                    "@type": "Person",
                    "name": "KPMG’s UK Cyber Response Services Team"
                }
],
        "publisher": {
            "@type": "Organization",
            "name": "BlackBerry",
            "logo": {
                "@type": "ImageObject",
                "url": "https://blogs.blackberry.com/content/dam/blackberry-com/Images/logos/BlackBerry_Logo_Black_150.png"
            }
        }
    }
</script>

    
    <meta name="description" content="The BlackBerry Research and Intelligence Team in partnership with KPMG’s UK Cyber Response Services recently unearthed a new ransomware strain written in Java. Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that uses highly targeted delivery mechanisms to infiltrate small to medium sized companies and institutions in the education and software industries."/>
    
    <link rel="icon" href="/etc.clientlibs/bbcom/clientlibs/clientlib-etc-legacy/resources/bbcom-aem-project/images/favicon.ico"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
    
    
    
    <link rel="canonical" href="https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors"/>
    <meta name="author" content="blogs.blackberry.com"/>
    <meta property="og:url" content="https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors"/>
    <meta property="og:title" content="Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors"/>
    <meta property="og:description" content="The BlackBerry Research and Intelligence Team in partnership with KPMG’s UK Cyber Response Services recently unearthed a new ransomware strain written in Java. Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that uses highly targeted delivery mechanisms to infiltrate small to medium sized companies and institutions in the education and software industries."/>
    <meta property="og:type" content="article"/>
    <meta property="og:image" content="https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2020/06/ibb-875x530-tycoon-ransomware-060420.png"/>
    <meta name="twitter:card" content="summary_large_image"/>
    <meta name="twitter:site" content="@BlackBerry"/>
    <meta name="twitter:title" content="Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors"/>
    <meta name="twitter:description" content="The BlackBerry Research and Intelligence Team in partnership with KPMG’s UK Cyber Response Services recently unearthed a new ransomware strain written in Java. Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that uses highly targeted delivery mechanisms to infiltrate small to medium sized companies and institutions in the education and software industries."/>
    <meta name="twitter:image" content="https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2020/06/ibb-875x530-tycoon-ransomware-060420.png"/>

    

    
    
<link rel="stylesheet" href="/etc.clientlibs/blogs-bbcom/clientlibs/clientlib-site.min.7737ed8dda6719e4f8a420ddbec72a71.css" type="text/css">



    
    
    

    
    
    
    

    
</head>
    <body class="page basicpage" data-enable-history="true">
        
        
            



            



<header>
    




    
    
    

    
    
    <div class="hero">

      <div class="jumbotron mastheadDefault">
        <div class="hero-container narrower" style="background-image: url( \2f content\2f dam\2f blackberry-com\2fImages\2fsupport\2f bgs\2f bnr-blue-gradient-crop.jpg)">
          
          <div class="mask  "></div>

          <div class="container headings  l-align">
            <div class="col-lg-12">
          		




    
    
    <div class="blog-name-title">

  <div class="cmp-title ">
  
  
   <!-- <span class="highlighted-text-title blogs">INSIDE</span>
   <span class="normal-text-title">BlackBerry Blog</span> -->
   <span class="normal-text-title">BlackBerry ThreatVector Blog</span>
  
  
  
</div>
</div>



          	</div>
          </div>
      </div>
    </div>
</div>



</header><main>
    




    
    
    <div class="section">
  <section class="section     ">
    
    <div class="container">
        




    
    
    

    


      
    </div>
  </section>
    

</div>


    
    
    <div class="blogsection">
    <section class="section     ">
      
      <div class="container sectionPadding py-0">
           
      <div class="col-md-9 col-lg-9 col-sm-12">
          




    
    
    <div class="cmp cmp-title blog-title row">
  

<div class="col-md-12 col-lg-12 col-sm-12">
<h1>Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors</h1>
</div>



    
</div>


    
    
    <div class="categorydateauthor"><!--Pulling author bio from author page-->
<div class="categorydateauthor">
<span><a title="ENDPOINT PROTECTION" href="/en/category/security/endpoint-protection">ENDPOINT PROTECTION</a> / </span><span class='publish-date'>06.04.20 / </span>

    <span class="author"><a href="/en/author/the-blackberry-research-and-intelligence-team">The BlackBerry Research &amp; Intelligence Team</a>, <a href="/en/author/kpmg-uk-cyber-response-services-team">KPMG’s UK Cyber Response Services Team</a></span>

</div></div>


    
    


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image.coreimg{.width}.png/1591284222620/ibb-875x530-tycoon-ransomware-060420.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/ibb-875x530-tycoon-ransomware-060420.png" data-asset-id="9d3977ea-ee34-4db7-b7f2-4784b25e2c1e" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/ibb-875x530-tycoon-ransomware-060420.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p><b>Overview</b></p>
<p>Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that has been observed in-the-wild since at least <a href="https://www.bleepingcomputer.com/forums/t/709143/help-me-to-identify-ransomware-with-redrum-extension/page-2" target="_blank">December 2019</a><a href="#_ftn1" name="_ftnref1"><sup>[1]</sup></a>. It is deployed in the form of a Trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format to fly under the radar.</p>
<p>The threat actors behind Tycoon were observed using highly targeted delivery mechanisms to infiltrate small to medium-sized companies and institutions in the education and software industries, where they would proceed to encrypt file servers and demand a ransom. However, because earlier variants reused a common RSA private key, it may be possible to recover data encrypted by those variants without paying the ransom.</p>
<p><b>Delivery</b></p>
<p>The BlackBerry Research and Intelligence Team in partnership with KPMG’s UK Cyber Response Services recently unearthed a new ransomware strain written in Java. The ransomware was deployed in a targeted attack against an organization, where the system administrators had been locked out of their systems following an attack on their domain controller and file servers. After conducting forensic investigations of the infected systems, it became apparent that the initial intrusion occurred via an Internet-facing RDP jump-server.<br>
<br>
The following illustration demonstrates how the attackers managed to gain initial access and started infecting systems across the estate:</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_909143621.coreimg{.width}.png/1591284222635/fig1-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig1-tycoon.png" data-asset-id="d4e01ba8-c1f4-429e-96d4-c0b2849cf633" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig1-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 1: Attack timeline</i></p>
<p>Post-incident analysis of the Internet-facing RDP server could not be performed as it had already been restored. However, our analysis of the victim machines revealed that some of the techniques used by the attacker were unusual and noteworthy:</p>
<ul>
<li>To achieve persistence on the victim’s machine, the attackers used a technique called <a href="https://attack.mitre.org/techniques/T1183/" target="_blank">Image File Execution Options (IFEO) injection</a><a href="https://attack.mitre.org/techniques/T1183/" name="_ftnref1" target="_blank"><sup>[2]</sup></a> (MITRE ATT&amp;CK has since re-catalogued this technique as T1546.012). IFEO settings are stored in the Windows registry and let developers attach a debugging application whenever a target application is executed. Because Windows starts the configured debugger each time the target application is launched, a program that an attacker registers there is executed on every launch, which is why unexpected changes to IFEO registry values are worth monitoring.<br>
<br>
</li>
<li>A backdoor was then executed alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system:<br>
&nbsp;</li>
</ul>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_393321895.coreimg{.width}.png/1591284222643/fig2-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig2-tycoon.png" data-asset-id="fad2e12f-9fce-4da7-97a1-2e6220596abf" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig2-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 2: Registry key used to execute the backdoor</i></p>
<ul>
<li>The attackers disabled the organization’s anti-malware solution with the use of the ProcessHacker utility and changed the passwords for Active Directory servers. This leaves the victim unable to access their systems.<br>
<br>
</li>
<li>Most of the attacker files were timestomped, including the Java libraries and the execution script, and had file date timestamps of 11th April 2020, 15:16:22:<br>
&nbsp;</li>
</ul>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_282242577.coreimg{.width}.png/1591284222652/fig3-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig3-tycoon.png" data-asset-id="d3db089c-6d42-4ede-9031-80a963905c01" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig3-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 3: File timestamp</i></p>
<p>Finally, the attackers executed the Java ransomware module, encrypting all file servers including backup systems that were connected to the network.</p>
<p><b>Execution</b></p>
<p>Tycoon ransomware comes in the form of a ZIP archive containing a Trojanized Java Runtime Environment (JRE) build. The malware is compiled into a Java image file (JIMAGE) located at <i>lib\modules</i> within the build directory.</p>
<p>JIMAGE is a special file format that stores custom JRE images and is designed to be used by the Java Virtual Machine (JVM) at runtime. It encompasses resources and class files of all Java modules that support the specific JRE build. The format was first introduced in Java version 9 and is sparsely documented. Unlike the popular Java Archive format (JAR), JIMAGE is mostly internal to the JDK and rarely used by developers:<br />
 </p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_410345342.coreimg{.width}.png/1591284222661/fig4-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig4-tycoon.png" data-asset-id="095e957e-73a3-4f39-b1bb-046478c259bd" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig4-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 4: Malicious “modules” file; JIMAGE format uses a header starting with 0xDADAFECA signature</i></p>
<p>The OpenJDK9 <i>jimage</i> utility can extract and decompile Java image files:</p>
<table cellspacing="10" cellpadding="10" border="1">
<tbody><tr><td width="1200" valign="top"><i>$ ./jimage --help<br>
Usage: jimage &lt;extract|recreate|info|list|verify&gt; &lt;options&gt; jimage...</i></td>
</tr></tbody></table>
<p><br>
After extraction, the ransomware image contains three modules related to a project called &quot;tycoon&quot;:<br>
<br>
</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_862516025.coreimg{.width}.png/1591284222670/fig5-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig5-tycoon.png" data-asset-id="49b26660-435c-4d7b-98a8-7af18ba56b56" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig5-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 5: Contents of the ZIP archive (left) and structure of the decompiled Java modules JIMAGE (right)</i></p>
<p>The ransomware is triggered by executing a shell script that runs the Main function of the malicious Java module using the<i> java -m</i> command.</p>
<p>The malicious JRE build contains both Windows® and Linux® versions of this script, suggesting that the threat actors are also targeting Linux® servers:<br>
&nbsp;</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_1930363815.coreimg{.width}.png/1591284222679/fig6-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig6-tycoon.png" data-asset-id="e283afa7-c566-4e05-b4c6-608bda67a338" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig6-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 6: Shell scripts used to execute the ransomware, and Java “release” file</i></p>
<p><b>Configuration</b></p>
<p>The malware configuration is stored in the project’s <i>BuildConfig </i>file and includes information such as:<br>
</p>
<ul>
<li>The attacker’s email address</li>
<li>The RSA public key</li>
<li>The content of the ransom note</li>
<li>The exclusions list</li>
<li>The list of shell commands to be executed<br>
&nbsp;</li>
</ul>

    
    
</div>


    
    
    <div class="text">    
    
    <table width="601" cellspacing="0" cellpadding="10" border="1">
<tbody><tr><td width="170" valign="top" bgcolor="#ECECEC"><p><b>Value Name</b></p>
</td>
<td width="432" valign="top" bgcolor="#ECECEC"><p><b>Example Value</b></p>
</td>
</tr><tr><td width="170" valign="top"><p><b>EMAIL_1</b></p>
</td>
<td width="432" valign="top"><p>“dataissafe[at]protonmail[.]com”</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>EMAIL_2</b></p>
</td>
<td width="432" valign="top"><p>“dataissafe[at]mail[.]com”</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>FILE_EXTENSION</b></p>
</td>
<td width="432" valign="top"><p>“thanos”</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>PUBLIC_KEY</b></p>
</td>
<td width="432" valign="top"><p>“-----BEGIN PUBLIC KEY----- \nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa+whJSxr9ngcD1T5GmjDNSUEY\ngz5esbym<br>
vy4lE9g2M3PvVc9iLw9Ybe+NMqJwHB8FYCTled48mXQmCvRH2Vw3lPkA\nTrQ4zbVx0fgEsoxekqt<br>
b3GbK2NseXEeavCi5lo5/jXZi4Td7nlWTu27CluyxRSgv\nL0O19CwzvckTM91BKwIDAQAB\n<br>
-----END PUBLIC KEY-----”</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>NUMBER_OF_KEYS_PER_ROOT_PATH</b></p>
</td>
<td width="432" valign="top"><p>100</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>CHUNK_SIZE</b></p>
</td>
<td width="432" valign="top"><p>10485760L <i>(10 MB)</i></p>
</td>
</tr><tr><td width="170" valign="top"><p><b>ENCRYPTION_PATTERN</b></p>
</td>
<td width="432" valign="top"><p>true, true, false, false, false, true, true, false, false, false, false, false, false, false, false, false</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>HEADER</b></p>
</td>
<td width="432" valign="top"><p>0x68, 0x61, 0x70, 0x70, 0x79, 0x6E, 0x79, 0x33, 0x2E, 0x31 <i>(ASCII for “happyny3.1”)</i></p>
</td>
</tr><tr><td width="170" valign="top"><p><b>DIR_BLACKLIST</b></p>
</td>
<td width="432" valign="top"><p>&quot;Windows&quot;, &quot;Boot&quot;, &quot;System Volume Information&quot;, &quot;Program Files\\Common Files\\Microsoft Shared&quot;, &quot;Program Files\\Common Files\\System&quot;, &quot;Program Files\\Common Files\\Services&quot;, &quot;Program Files\\Common Files\\SpeechEngines&quot;, &quot;Program Files (x86)\\Common Files\\microsoft shared&quot;, &quot;Program Files (x86)\\Common Files\\System&quot;, &quot;Program Files (x86)\\Common Files\\Services&quot;, &quot;Program Files (x86)\\Common Files\\SpeechEngines&quot;, &quot;Program Files\\Internet Explorer&quot;, &quot;Program Files\\Internet Explorer&quot;, &quot;Program Files\\Windows Mail&quot;, &quot;Program Files\\Windows Media Player&quot;, &quot;Program Files\\Windows Photo Viewer&quot;, &quot;Program Files\\Windows Sidebar&quot;, &quot;Program Files\\DVD Maker&quot;, &quot;Program Files\\MSBuild&quot;, &quot;Program Files\\Reference Assemblies&quot;, &quot;Program Files\\Windows Defender&quot;, &quot;Program Files\\Windows NT&quot;, &quot;Program Files (x86)\\Internet Explorer&quot;, &quot;Program Files (x86)\\Windows Mail&quot;, &quot;Program Files (x86)\\Windows Media Player&quot;, &quot;Program Files (x86)\\Windows Photo Viewer&quot;, &quot;Program Files (x86)\\Windows Sidebar&quot;, &quot;Program Files (x86)\\MSBuild&quot;, &quot;Program Files (x86)\\Reference Assemblies&quot;, &quot;Program Files (x86)\\Windows Defender&quot;,&nbsp; &quot;Program Files (x86)\\Windows NT&quot;, &quot;ProgramData\\Microsoft&quot;, &quot;Users\\All Users&quot;</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>EXTENSION_BLACKLIST</b></p>
</td>
<td width="432" valign="top"><p>&quot;mui&quot;, &quot;exe&quot;, &quot;dll&quot;, &quot;lolz&quot;</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>FILE_BLACKLIST</b></p>
</td>
<td width="432" valign="top"><p>&quot;decryption.txt&quot;, &quot;$Mft&quot;, &quot;$Mft (NTFS Master File Table)&quot;, &quot;$MftMirr&quot;, &quot;$LogFile&quot;, &quot;$LogFile (NTFS Volume Log)&quot;, &quot;$Volume&quot;, &quot;$AttrDef&quot;, &quot;$Bitmap&quot;, &quot;$BitMap&quot;, &quot;$BitMap (NTFS Free Space Map)&quot;, &quot;$Boot&quot;, &quot;$BadClus&quot;, &quot;$Secure&quot;, &quot;$Upcase&quot;, &quot;$Extend&quot;, &quot;$Quota&quot;, &quot;$ObjId&quot;, &quot;$Reparse&quot;, &quot;$Extend&quot;, &quot;bootmgr&quot;, &quot;BOOTSECT.BAK&quot;, &quot;pagefile.sys&quot;, &quot;pagefile.sys (Page File)&quot;, &quot;boot.ini&quot;, &quot;bootfont.bin&quot;, &quot;io.sys&quot;</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>EXEC_COMMANDS</b></p>
</td>
<td width="432" valign="top"><p>&quot;vssadmin delete shadows /all /quiet&quot;, &quot;wmic shadowcopy delete&quot;, &quot;bcdedit /set {default} bootstatuspolicy ignoreallfailures&quot;, &quot;bcdedit /set {default} recoveryenabled no&quot;, &quot;wbadmin delete catalog -quiet&quot;, &quot;netsh advfirewall set currentprofile state off&quot;, &quot;netsh firewall set opmode mode=disable&quot;</p>
</td>
</tr><tr><td width="170" valign="top"><p><b>TXT</b></p>
</td>
<td width="432" valign="top"><p><i>content of the ransom note (see IOCs)</i></p>
</td>
</tr></tbody></table>
<p style="text-align: center;"><i>Figure 7: Example configuration values<br>
 &nbsp;</i></p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_1329843478.coreimg{.width}.png/1591284222692/fig8-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig8-tycoon.png" data-asset-id="a32bd9fd-5df6-43ac-9ce1-d37f22295802" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig8-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 8: A fragment of BuildConfig file</i></p>
<p><b>Behavior</b></p>
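<p>Upon execution the malware will run a set of shell commands specified in the <i>BuildConfig</i> file. These commands delete Volume Shadow Copies and the Windows backup catalog, disable the Windows recovery options at boot, and turn off the Windows firewall, so their appearance in process-creation logs is a strong early warning sign:<br>
&nbsp;</p>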
<table cellspacing="0" cellpadding="10" border="1">
<tbody><tr><td width="1200" valign="top"><i>vssadmin delete shadows /all /quiet<br>
 wmic shadowcopy delete<br>
 bcdedit /set {default} bootstatuspolicy ignoreallfailures<br>
 bcdedit /set {default} recoveryenabled no<br>
 wbadmin delete catalog -quiet<br>
 netsh advfirewall set currentprofile state off<br>
 netsh firewall set opmode mode=disable</i></td>
</tr></tbody></table>
<p><br>
An <i>install_id</i> value will be generated for each victim using the first four bytes from a SHA256 hash of the system UUID value. To obtain the UUID the malware executes the following wmic command:</p>
<table cellspacing="0" cellpadding="10" border="1">
<tbody><tr><td width="1200" valign="top"><p><i>wmic csproduct get UUID</i></p>
</td>
</tr></tbody></table>
<p><br>
The list of paths to encrypt can be passed as parameter; alternatively, the malware will generate a list of all root paths in the system. A separate encryption thread will be created for each item in the path list.</p>
<p>After the encryption process is completed, the malware will ensure that the files are not recoverable by overwriting deleted files in each encryption path. It uses a built-in Windows utility called <i>cipher.exe</i> for this task:<br>
<br>
</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_1173290639.coreimg{.width}.png/1591284222701/fig9-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig9-tycoon.png" data-asset-id="aa9ef7b0-256d-40a0-9c47-a6d4cd8ab1a0" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig9-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 9: Secure deletion of original files</i></p>
<p><b>File Encryption</b></p>
<p>The files are encrypted using an AES-256 algorithm in <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode" target="_blank" rel="noopener noreferrer">Galois/Counter Mode (GCM)<sup>[3]</sup></a> with a 16-byte long GCM authentication tag, which ensures data integrity. A 12-byte long initialization vector (IV) is generated for each encryption chunk using the <i>java.security.SecureRandom</i> class. The encryption chunk size is specified in <i>BuildConfig</i> and is set to 10 MB, while a pattern setting (<i>ENCRYPTION_PATTERN</i> in the configuration table above) specifies the pattern in which file chunks are to be processed. By skipping parts of the bigger files, the attackers speed up the encryption process while damaging the files and making them unusable.</p>
<p>For each encryption path, an array of AES-256 keys is generated using the <i>java.security.SecureRandom</i> class. The maximum number of keys per path is set in <i>BuildConfig</i> and may differ between samples. Each file (or file chunk, in case of files bigger than the chunk size) is encrypted with a different AES key; that AES key is then encrypted with the attacker’s RSA-1024 public key and saved in the chunk metadata block:<br>
&nbsp;</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_2069502252.coreimg{.width}.png/1591284222710/fig10-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig10-tycoon.png" data-asset-id="51fe723e-cbe1-41de-ad80-3dfc76c4597d" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig10-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 10: AES key generation</i></p>
<p>The metadata added to each encrypted chunk contains the following:</p>
<ul>
<li>Header value specified in <i>BuildConfig</i></li>
<li>Chunk index (8 bytes)</li>
<li>Chunk size (8 bytes)</li>
<li>Per-chunk generated AES IV (12 bytes)</li>
<li>AES GCM tag (16 bytes)</li>
<li>RSA-encrypted AES key scheme (128 bytes, which matches the ciphertext size of a 1024-bit RSA key), containing:
<ul>
<li>Victim ID (4 bytes), the <i>install_id</i> value derived from the system UUID</li>
<li>AES key (32 bytes)</li>
<li>SHA512 hash of victim ID and AES key (64 bytes)</li>
</ul>
</li>
</ul>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_704601238.coreimg{.width}.png/1591284222719/fig11-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig11-tycoon.png" data-asset-id="c4c61a49-c702-4126-979d-b3dccd718497" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig11-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 11: Encrypted file with highlighted metadata</i></p>
<p>Because the asymmetric RSA algorithm is used to encrypt the securely generated AES keys, file decryption requires obtaining the attacker's private RSA key. Factoring a 1024-bit RSA key, although theoretically possible, has not been achieved yet and would require extraordinary computational power.</p>
<p>However, one of the victims seeking help on the <a href="https://www.bleepingcomputer.com/forums/t/709143/help-me-to-identify-ransomware-with-redrum-extension/page-2" target="_blank">BleepingComputer forum</a><a href="#_ftn1" name="_ftnref1"><sup>[4]</sup></a> posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the<i> .redrum </i>extension to the encrypted files:<br>
&nbsp;</p>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_1883394668.coreimg{.width}.png/1591284222728/fig12-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig12-tycoon.png" data-asset-id="6c9512b4-c3cf-4fa3-a89e-7cb4fb6454cf" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig12-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <div style="text-align: center;"><i>Figure 12: Decrypted AES key metadata: install_id (red), AES key (green), sha512 hash (blue)<br>
&nbsp;</i></div>

    
    
</div>


    
    
    <div class="image">
  <div data-cmp-is="image" data-cmp-src="/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors/_jcr_content/main/par/sectionblog/par/image_2021581987.coreimg{.width}.png/1591284222737/fig13-tycoon.png" data-asset="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig13-tycoon.png" data-asset-id="cfd9291c-bd25-4bff-b9fa-7fa05b129efd" class="cmp-image" itemscope itemtype="http://schema.org/ImageObject">
 
     
         
         <!--/*Figure and figcaption elements added by Zahid*/>-->
          
         <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/fig13-tycoon.png" class="cmp-image__image" itemprop="contentUrl" data-cmp-hook-image="image" alt/>
         
         <figcaption class="figure-caption" styles="display:table-caption;caption-side:bottom;"></figcaption>
          
     
 
 
 
</div>

    
</div>


    
    
    <div class="text">    
    
    <p style="text-align: center;"><i>Figure 13: Recovering a .redrum file with the use of decrypted AES key</i></p>
<p>Unfortunately, this private key does not work for the more recent “happyny3.1” version, which adds the .grinch and .thanos extensions to the encrypted files.</p>
<p><b>Conclusions</b></p>
<p>Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we've encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build.</p>
<p>Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments.</p>
<p>The overlap in some of the email addresses, as well as the text of the ransom note and the naming convention used for encrypted files, suggests a connection between Tycoon and Dharma/CrySIS ransomware.<b><br>
<br>
Indicators of Compromise (IOCs)</b></p>
<p><b>JIMAGE module (lib\modules):<br>
</b>eddc43ee369594ac8b0a8a0eab6960dba8d58c0b499a51a717667f05572617fb<br>
<b><br>
Email Addresses:</b></p>
<ul>
<li>pay4dec[at]cock[.]lu</li>
<li>dataissafe[at]protonmail[.]com</li>
<li>dataissafe[at]mail[.]com</li>
<li>foxbit[at]tutanota[.]com</li>
<li>moncler[at]tutamail[.]com</li>
<li>moncler[at]cock[.]li</li>
<li>relaxmate[at]protonmail[.]com</li>
<li>crocodelux[at]mail[.]ru</li>
<li>savecopy[at]cock[.]li</li>
<li>bazooka[at]cock[.]li</li>
<li>funtik[at]tutamail[.]com</li>
<li>proff-mariarti[at]protonmail[.]com</li>
</ul>
<p><b>Encrypted Files Extension:</b></p>
<ul>
<li>thanos</li>
<li>grinch<b></b></li>
<li>redrum</li>
</ul>
<p><b>Encrypted Files Signature:</b></p>
<ul>
<li>happyny3.1</li>
<li>redrum3_0</li>
</ul>
<p><b>RSA Public Key (happyny3.1 version):</b></p>
<p>-----BEGIN PUBLIC KEY-----<br>
<br>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa+whJSxr9ngcD1T5GmjDNSUEY<br>
gz5esbymvy4lE9g2M3PvVc9iLw9Ybe+NMqJwHB8FYCTled48mXQmCvRH2Vw3lPkA<br>
TrQ4zbVx0fgEsoxekqtb3GbK2NseXEeavCi5lo5/jXZi4Td7nlWTu27CluyxRSgv<br>
L0O19CwzvckTM91BKwIDAQAB</p>
<p>-----END PUBLIC KEY-----</p>
<p><b>RSA Private Key (redrum3_0 version):</b></p>
<p>-----BEGIN RSA PRIVATE KEY-----</p>
<p>MIICXQIBAAKBgQCyNELzNaPcGBlt2YEARamc+a+uyM8/mRadrMLLQ9tuzkppvdWI<br>
iM/LH+xATZUgByknwzaMtRQZi6R2pQ8nBG6DxNtdhla33L+njQLTW+7wo1tSaaJz<br>
6Of0FvCUZNPZ0mF5OrJO+Z6ZfDxafcwv653Ii7aTwaKlhjFoZijBMrA43wIDAQAB<br>
AoGAPJ+I0yJBX0OXiwY+W3BXdj5+5LANyS30QqmeDvZDtRtat0RMW0lnn0t53JpI<br>
DABDoPJJIW8MqnAWAALA994LFhk9jUtJTUgwsViyKL/Q/dOCeBPJU3xyXNkqhmCN<br>
ImP4v7DxjvWp1pomrIIRCW68GkbB+cSGyLAzUo+1KHVh6LECQQDdL26UsVNsNYTX<br>
rfv6BZItGO1HJHYTiz0cI82n4woZY2fS2lpBDEvy3Rl8E4Y7F9tQby4odDLHi/9l<br>
RCeoif45AkEAzkDsPGauMmWsPXAbXrjzq3/0+MWgh7Vd8Gpgn83QUYjTO2RxtE1n<br>
zAYzTLrFFtM8zmCAubpKM1dyi4Xs7hlv1wJBAJD5ofV8NT3b5nKn61z5gdJlYEEd<br>
OPeecDOdlBLS0a/KZCbkT/wK300UdrvI4FajUHDsLsj9QLtim8f4YDYsHKECQQCX<br>
R40+XD3mnyZvRbv9hQDMyKSglyvAfimxvgSzEZ17QDVWubygd6nrPpz/6XnH3RYb<br>
dTLVhysHb1uHtKpslWGvAkAf0kivk9miSFnVeoO1XZumRAwrhTh6Rxhkg6MJCLBP<br>
ThoY7wYXmV9zNPo02xYTvZlyhwnWspz4Kx4LsUutWmBs</p>
<p>-----END RSA PRIVATE KEY-----<br>
</p>

    
    
</div>


    
    
    <div class="text">    
    
    <p><span><b>Ransom Note:</b></span></p>
<table class="MsoTableGrid" style="border-collapse: collapse; border: none;" cellspacing="0" cellpadding="10" border="1">
<tbody><tr><td style="width: 451.0pt; border: solid windowtext 1.0pt; padding: 0.0in 5.4pt 0.0in 5.4pt;" width="601" valign="top"><p class="MsoNormal" style="margin-top: 6.0pt;"><span>Hello!</span></p>
<p class="MsoNormal"><span>All your documents, photos, databases and other important files have been ENCRYPTED! Do you really interested to restore your files?</span></p>
<p class="MsoNormal"><span>If so, you must buy decipher software and private key to unlock your data!<br>
 Write to our email -<b> <span style="color: red;">%s</span></b> and tell us your unique <b><span style="color: red;">%s</span></b><br>
 We will send you full instruction how to decrypt all your files.<br>
 In case of no answer in 24 hours write us on additional e-mail address - <b><span style="color: red;">%s</span></b></span></p>
<p class="MsoNormal"><span>========================================================================================================================<span><br>
 </span>FAQ FOR DECRYPTION YOUR FILES:<br>
 ========================================================================================================================</span></p>
<p class="MsoNormal"><span>* WHATS HAPPENED ??? &nbsp;</span></p>
<p class="MsoNormal"><span>Your files are NOT DAMAGED! Your files have been modified and encrypted with strong cipher algorithm. This modification is reversible. The only way to decrypt your files is to purchase the decipher software and private key. Any attempts to restore your files with the third-party software will be fatal for your files, because would damage data essential for decryption !</span></p>
<p class="MsoNormal"><span>Note !!! You have only 24 hours to write us on e-mail or all your files will be lost or the decryption price will be &quot;increased!&quot;</span></p>
<p class="MsoNormal"><span>====================================================================================<br>
 ====================================</span></p>
<p class="MsoNormal"><span>&nbsp;* HOW TO RECOVERY MY FILES ???</span></p>
<p class="MsoNormal"><span>You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decipher software and private key that will decrypt all your files.</span></p>
<p class="MsoNormal"><span>========================================================================================================================</span></p>
<p class="MsoNormal"><span>* FREE DECRYPTION !!!</span></p>
<p class="MsoNormal"><span>Free decryption as guarantee! If you don't believe in our service and you want to see a proof, you can ask us about test&quot; for decryption. You send us up to 5 modified files. Use file-sharing service and Win-Rar to send files for test. Files have to be less than 1 MB (non archived). Files should not be important! Don't send us databases, backups, large excel files, etc.<span>&nbsp; </span>We will decrypt and send you your decrypted files back as a proof!&quot;</span></p>
<p class="MsoNormal"><span>========================================================================================================================</span></p>
<p class="MsoNormal"><span>* WHY DO I NEED A TEST???</span></p>
<p class="MsoNormal"><span>This is done so that you can make sure that only we can decrypt your files and that there will be no problems with the decryption!</span></p>
<p class="MsoNormal"><span>========================================================================================================================</span></p>
<p class="MsoNormal"><span>* HOW TO BUY BITCOINS ???</span></p>
<p class="MsoNormal"><span>There are two simple ways to by bitcoins:<br>
 https://exmo.me/en/support#/1_3<br>
 https://localbitcoins.net/guides/how-to-buy-bitcoins</span></p>
<p class="MsoNormal"><span>Read this information carefully because it's enough to purchase even in large amounts</span></p>
<p class="MsoNormal"><span>========================================================================================================================</span></p>
<p class="MsoNormal"><span>&nbsp;!!! ATTENTION !!!</span></p>
<p class="MsoNormal" style="margin-bottom: 6.0pt;"><span>!!! After 60 hours the price for your encryption will increase 10 percent each day<br>
 !!! Do not rename encrypted files.<br>
 !!! Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>
 !!! Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</span></p>
</td>
</tr></tbody></table>

    
    
</div>


    
    
    <div class="text">    
    
    <p><br>
<b>Citations:</b><br>
</p>
<p><i><sup>[1]</sup> <a href="https://www.bleepingcomputer.com/forums/t/709143/help-me-to-identify-ransomware-with-redrum-extension/" target="_blank" rel="noopener noreferrer">https://www.bleepingcomputer.com/forums/t/709143/help-me-to-identify-ransomware-with-redrum-extension/</a><br>
 <sup>[2]</sup> <a href="https://attack.mitre.org/techniques/T1183/" target="_blank" rel="noopener noreferrer">https://attack.mitre.org/techniques/T1183/</a> (Image File Execution Options Injection; MITRE ATT&amp;CK has since retired the T1183 identifier and tracks this technique as T1546.012, so detection content should be mapped to the newer ID)<br>
 <sup>[3]</sup> <a href="https://en.wikipedia.org/wiki/Galois/Counter_Mode" target="_blank" rel="noopener noreferrer">https://en.wikipedia.org/wiki/Galois/Counter_Mode</a><br>
 <sup>[4]</sup> <a href="https://www.bleepingcomputer.com/forums/t/709143/help-me-to-identify-ransomware-with-redrum-extension/page-2" target="_blank" rel="noopener noreferrer">https://www.bleepingcomputer.com/forums/t/709143/help-me-to-identify-ransomware-with-redrum-extension/page-2</a><br>
 &nbsp;</i></p>

    
    
</div>


    
    
    <div class="authorblog"><!--Pulling author bio from author page-->

    
    
        
  



<div class="author-info" data-author-name="The BlackBerry Research &amp; Intelligence Team" data-author-path="https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors">
  <div class="author-avatar">
    
    <img src="/content/dam/blogs-blackberry-com/images/authors/blackberry-logo-square.jpg" class="author-avatar" alt="The BlackBerry Research &amp; Intelligence Team"/>				
    
  </div><!-- .author-avatar -->
  <div class="author-description">
      
    
    <h2>About The BlackBerry Research &amp; Intelligence Team</h2>
    <p>The BlackBerry Research &amp; Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.</p>

  </div><!-- .author-description	-->
</div>
<hr class="author-hr"/>
    
        
  



<div class="author-info" data-author-name="KPMG’s UK Cyber Response Services Team" data-author-path="https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors">
  <div class="author-avatar">
    
    <img src="/content/dam/blogs-blackberry-com/images/blogs/2020/06/kpmg_logo_140x140.png" class="author-avatar" alt="KPMG’s UK Cyber Response Services Team"/>				
    
  </div><!-- .author-avatar -->
  <div class="author-description">
      
    
    <h2>About KPMG’s UK Cyber Response Services Team</h2>
    <p>KPMG’s UK Cyber Response Services Team provides incident response, forensic investigations, and crisis management services across corporate, insurance and legal service sectors. KPMG has over 3,500 cyber professionals in offices around the globe with cyber response labs across 12 major regions. Our professionals have experience working on various forms of cybercrime, including insider threats, data breaches, hacktivism, and advanced persistent threat-style intrusions by highly motivated adversaries.<br />
<br />
Our services include on-demand incident response readiness and response, host and enterprise-based forensics, network forensics, threat intelligence, and SOC enhancement.<br />
<br />
For further information, please visit <a href="https://home.kpmg/uk/en/home/services/advisory/risk-consulting/technology-risk/cyber-security.html" target="_blank">kpmg.co.uk/cyber</a> or email cyber[at]kpmg.co.uk.<br />
</p>

  </div><!-- .author-description	-->
</div>
<hr class="author-hr"/>
    
</div>


    
    


    
    



      </div>
      
          
      </div>
    </section>
      
  
  
</div>



</main>

            
    
    
    
    
<script src="/etc.clientlibs/shared/clientlibs/jquery.min.js"></script>
<script src="/etc.clientlibs/qnxv2/clientlibs/shared/clientlibs/jquery.min.js"></script>
<script src="/etc.clientlibs/blogs-bbcom/clientlibs/clientlib-dependencies.min.js"></script>





    
    
<script src="/etc.clientlibs/blogs-bbcom/clientlibs/clientlib-site.min.js"></script>




    

    

    

            

<style>
  .noticeWrapper {
    padding-top: 21px;
    font-size: 13px;
    text-align: center;
    background-color: white;
    border-right: 1px solid black;
    border-top: 1px solid black;
    border-left: 1px solid black;
    border-radius: 8px 8px 0px 0px;
    -moz-border-radius: 8px 8px 0px 0px;
    -webkit-border-radius: 8px 8px 0px 0px;
  }

  .cookieNotice p {
    font-size: 13px;
    line-height: 1.5;
    text-align: initial;
    margin-bottom: 21px;
  }

  .cookieNotice p a { 
    font-size: 13px;
    line-height: 1.5;
    text-align: initial;
  }

  .cookieNotice p a:hover {
    text-decoration: underline !important;
  }

  #close {
    position: absolute;

    top: -10px;
    right: -10px;
  }

  @media only screen and (max-width: 768px) {
    #close {
      border-radius: 0;

      top: -10px;
      right: -10px;
    }
  }

  .cookieNotice {
    height: 0px;

    position: fixed;
    z-index: 1000;
    bottom: 0;

    background-color: transparent;
    overflow: visible;
    transition: 0.5s;



    color: #000 !important;

    border: 0px solid #000000;

  }

  @media only screen and (max-width: 768px) {
    .cookieNotice {
      width: 100%;
      border-radius: 0px;
      -moz-border-radius: 0px;
      -webkit-border-radius: 0px;
    }
  }


  #page-content {
    transition: margin-bottom .5s;
    padding: 16px;
  }
</style>
            



        
    </body>
</html>
